[Zope3-checkins] SVN: Zope3/branches/ZopeX3-3.0/src/zope/ Merged
from trunk
Jim Fulton
jim at zope.com
Thu Jul 29 01:07:57 EDT 2004
Log message for revision 26828:
Merged from trunk
r26826 | jim | 2004-07-29 00:57:37 -0400 (Thu, 29 Jul 2004) | 13 lines
Added untrusted dtml support
- Added restricted compilation of python functions
- Added more careful getting of instance attrs
- Added additional hooks in the trusted code to
make swithing in untrusted versions possible.
- Centralized the untrusted support so that it's easier to use it, for
example in both dtmlpage and sqlscript.
Changed:
U Zope3/branches/ZopeX3-3.0/src/zope/app/dtmlpage/dtmlpage.py
U Zope3/branches/ZopeX3-3.0/src/zope/app/sqlscript/dtml.py
U Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_in.py
U Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_string.py
U Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_try.py
U Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_util.py
U Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_with.py
U Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/pdocumenttemplate.py
A Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/untrusted/
_U Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/untrusted/README.txt
_U Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/untrusted/__init__.py
_U Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/untrusted/tests.py
_U Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/untrusted/untrusted.py
-=-
Modified: Zope3/branches/ZopeX3-3.0/src/zope/app/dtmlpage/dtmlpage.py
===================================================================
--- Zope3/branches/ZopeX3-3.0/src/zope/app/dtmlpage/dtmlpage.py 2004-07-29 05:00:21 UTC (rev 26827)
+++ Zope3/branches/ZopeX3-3.0/src/zope/app/dtmlpage/dtmlpage.py 2004-07-29 05:07:57 UTC (rev 26828)
@@ -17,7 +17,7 @@
from persistent import Persistent
from zope.security.proxy import ProxyFactory
-from zope.documenttemplate.dt_html import HTML
+from zope.documenttemplate.untrusted import UntrustedHTML
from zope.interface import implements
from zope.app.annotation.interfaces import IAnnotatable
@@ -39,22 +39,14 @@
def setSource(self, text, content_type='text/html'):
'''See interface IDTMLPage'''
- self.template = HTML(text)
+ self.template = UntrustedHTML(text)
self.content_type = content_type
def render(self, request, *args, **kw):
"""See interface IDTMLRenderPage"""
+ return self.template(self.__parent__, request, REQUEST=request, **kw)
- instance = ProxyFactory(self.__parent__)
- request = ProxyFactory(request)
- for k in kw:
- kw[k] = ProxyFactory(kw[k])
- kw['REQUEST'] = request
-
- return self.template(instance, request, **kw)
-
-
__call__ = render
source = property(getSource, setSource, None,
Modified: Zope3/branches/ZopeX3-3.0/src/zope/app/sqlscript/dtml.py
===================================================================
--- Zope3/branches/ZopeX3-3.0/src/zope/app/sqlscript/dtml.py 2004-07-29 05:00:21 UTC (rev 26827)
+++ Zope3/branches/ZopeX3-3.0/src/zope/app/sqlscript/dtml.py 2004-07-29 05:07:57 UTC (rev 26828)
@@ -19,6 +19,7 @@
from zope.documenttemplate.dt_html import HTML
from zope.documenttemplate.dt_util import ParseError, parse_params, name_param
+from zope.documenttemplate.untrusted import UntrustedHTML
from interfaces import MissingInput
@@ -78,7 +79,10 @@
return ''
raise KeyError, key, sys.exc_info()[2]
- if isinstance(v, (list, tuple)):
+ if (list in v.__class__.__mro__ # isinstance doesn't work w
+ or # security proxies, so we use
+ tuple in v.__class__.__mro__ # this __mro__ trick.
+ ):
if len(v) > 1 and not self.multiple:
raise 'Multiple Values', (
'multiple values are not allowed for <em>%s</em>'
@@ -273,7 +277,7 @@
__call__ = render
-class SQLDTML(HTML):
+class SQLDTML(UntrustedHTML):
__name__ = 'SQLDTML'
commands = HTML.commands.copy()
Modified: Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_in.py
===================================================================
--- Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_in.py 2004-07-29 05:00:21 UTC (rev 26827)
+++ Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_in.py 2004-07-29 05:07:57 UTC (rev 26828)
@@ -315,10 +315,8 @@
$Id$
"""
-from zope.documenttemplate.dt_util import \
- ParseError, parse_params, name_param
-from zope.documenttemplate.dt_util import \
- render_blocks, InstanceDict, ValidationError, Eval
+from zope.documenttemplate.dt_util import ParseError, parse_params, name_param
+from zope.documenttemplate.dt_util import render_blocks, ValidationError, Eval
import re
from zope.documenttemplate.dt_insv import sequence_variables, opt
@@ -583,7 +581,7 @@
if mapping:
push(client)
else:
- push(InstanceDict(client, md))
+ md._push_instance(client)
try:
append(render(section, md))
@@ -680,7 +678,7 @@
if mapping:
push(client)
else:
- push(InstanceDict(client, md))
+ md._push_instance(client)
try:
append(render(section, md))
Modified: Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_string.py
===================================================================
--- Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_string.py 2004-07-29 05:00:21 UTC (rev 26827)
+++ Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_string.py 2004-07-29 05:07:57 UTC (rev 26828)
@@ -17,8 +17,7 @@
"""
import re, thread
-from zope.documenttemplate.dt_util import \
- ParseError, InstanceDict, TemplateDict, render_blocks
+from zope.documenttemplate.dt_util import ParseError, render_blocks
from zope.documenttemplate.dt_var import Var, Call, Comment
from zope.documenttemplate.dt_return import ReturnTag, DTReturn
@@ -44,6 +43,8 @@
"""
+ from zope.documenttemplate.dt_util import TemplateDict
+
# Document Templates masquerade as functions:
class func_code:
pass
@@ -422,7 +423,7 @@
pushed=None
try:
- if mapping.__class__ is TemplateDict:
+ if isinstance(mapping, self.TemplateDict):
pushed=0
except:
pass
@@ -436,7 +437,7 @@
push(self.globals)
pushed = pushed+1
else:
- md = TemplateDict()
+ md = self.TemplateDict()
push = md._push
shared_globals = self.shared_globals
if shared_globals:
@@ -463,11 +464,11 @@
# if client is a tuple, it represents a "path" of clients
# which should be pushed onto the md in order.
for ob in client:
- push(InstanceDict(ob, md)) # Circ. Ref. 8-|
+ md._push_instance(ob)
pushed += 1
else:
# otherwise its just a normal client object.
- push(InstanceDict(client, md)) # Circ. Ref. 8-|
+ md._push_instance(client)
pushed += 1
if self._vars:
Modified: Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_try.py
===================================================================
--- Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_try.py 2004-07-29 05:00:21 UTC (rev 26827)
+++ Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_try.py 2004-07-29 05:07:57 UTC (rev 26828)
@@ -18,9 +18,8 @@
import sys, traceback
from StringIO import StringIO
-from zope.documenttemplate.dt_util \
- import ParseError, parse_params, render_blocks
-from zope.documenttemplate.dt_util import InstanceDict
+from zope.documenttemplate.dt_util import ParseError, parse_params
+from zope.documenttemplate.dt_util import render_blocks
from zope.documenttemplate.dt_return import DTReturn
from types import StringType
@@ -181,7 +180,7 @@
error_tb = f.getvalue()
ns = md.namespace(error_type=errname, error_value=v,
error_tb=error_tb)[0]
- md._push(InstanceDict(ns,md))
+ md._push_instance(ns)
return render_blocks(handler, md)
finally:
md._pop(1)
Modified: Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_util.py
===================================================================
--- Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_util.py 2004-07-29 05:00:21 UTC (rev 26827)
+++ Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_util.py 2004-07-29 05:07:57 UTC (rev 26828)
@@ -19,7 +19,9 @@
from types import ListType, StringType, TupleType
-from zope.documenttemplate.pdocumenttemplate import InstanceDict, TemplateDict
+# These imports are for the use of clients of this module, as this
+# module is the canonical place to get them.
+from zope.documenttemplate.pdocumenttemplate import TemplateDict, InstanceDict
from zope.documenttemplate.pdocumenttemplate import render_blocks
class ParseError(Exception):
@@ -64,8 +66,8 @@
def eval(self, mapping):
- d={'_vars': mapping,
- '_': mapping}
+ d={'_vars': mapping._proxied(),
+ '_': mapping._proxied()}
code = self.code
for name in code.co_names:
if not d.has_key(name):
@@ -78,7 +80,9 @@
# does need the name, a NameError will occur.
pass
- return eval(code, {'__builtins__': None}, d)
+ return eval(code,
+ {'__builtins__': getattr(mapping, '__builtins__', None)},
+ d)
def __call__(self, **kw):
Modified: Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_with.py
===================================================================
--- Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_with.py 2004-07-29 05:00:21 UTC (rev 26827)
+++ Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/dt_with.py 2004-07-29 05:07:57 UTC (rev 26828)
@@ -35,9 +35,8 @@
$Id$
"""
-from zope.documenttemplate.dt_util import \
- parse_params, name_param, InstanceDict, render_blocks
-from zope.documenttemplate.dt_util import TemplateDict
+from zope.documenttemplate.dt_util import parse_params, name_param
+from zope.documenttemplate.dt_util import render_blocks
from types import StringTypes, TupleType
@@ -70,18 +69,19 @@
else:
v = expr(md)
- if not self.mapping:
- if isinstance(v, TupleType) and len(v) == 1:
- v = v[0]
- v = InstanceDict(v, md)
-
if self.only:
_md = md
- md = TemplateDict()
+ md = md.__class__()
if hasattr(_md, 'validate'):
md.validate = _md.validate
- md._push(v)
+ if self.mapping:
+ md._push(v)
+ else:
+ if isinstance(v, TupleType) and len(v) == 1:
+ v = v[0]
+ md._push_instance(v)
+
try:
return render_blocks(self.section, md)
finally:
Modified: Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/pdocumenttemplate.py
===================================================================
--- Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/pdocumenttemplate.py 2004-07-29 05:00:21 UTC (rev 26827)
+++ Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/pdocumenttemplate.py 2004-07-29 05:07:57 UTC (rev 26828)
@@ -54,12 +54,6 @@
inst = self.self
- if key[:1] == '_':
- if key != '__str__':
- raise KeyError, key # Don't divuldge private data
- else:
- return str(inst)
-
try:
r = getattr(inst, key)
except AttributeError:
@@ -122,6 +116,12 @@
def _push(self, d):
return self.dicts.push(d)
+ def _push_instance(self, inst):
+ self._push(InstanceDict(inst, self))
+
+ def _proxied(self):
+ return self
+
def __init__(self):
m = self.dicts = MultiMapping()
self._pop = m.pop
Copied: Zope3/branches/ZopeX3-3.0/src/zope/documenttemplate/untrusted (from rev 26826, Zope3/trunk/src/zope/documenttemplate/untrusted)
More information about the Zope3-Checkins
mailing list